In May, President Joe Biden mandated that agencies adopt zero trust in his Executive Order on Improving the Nation’s Cybersecurity, and the National Security Agency released a paper a few months ahead of that mandate titled “Embracing a Zero Trust Security Model.” It recommends that critical networks such as national security systems, Defense Department networks and defense industrial base systems use the architecture.
“Even the most skilled cybersecurity professionals are challenged when defending dispersed enterprise networks from ever more sophisticated cyberthreats,” the NSA document states. “Organizations need a better way to secure their infrastructure and provide unified-yet- granular access control to data, services, applications and infrastructure.”
Experts also recommend that agencies extend the zero trust approach to the files employees interact with and exchange on
a daily basis, which can be embedded with malicious code. A technique called content disarm and reconstruction can be used to disassemble files, remove harmful elements and rebuild the files so that they no longer pose a risk.
Jump-starting efforts to modernize security
In the FCW survey, 70% of respondents said they were particularly interested in improving their ability to anticipate and respond to evolving cyberthreats. One key strategy is to shift from relying on
signature-based security, which compares threats to a database
of known malicious code, to behavior-based threat detection. With the help of artificial intelligence, the latter approach identifies anomalies in user or device behavior and blocks access in real time.
89%
FCW survey respondents who said IT modernization is having a positive impact on their agencies’ cybersecurity
55%
FCW survey respondents who said enabling secure collaboration for on-site and remote employees was a priority
14,587 to 30,874
Increase in teleworkers at the Transportation Department from February to March 2020
77%
Federal employees who would like to continue teleworking after the pandemic
Sources: American Federation of Government Employees, FCW and Transportation Department
In addition, many IT
administrators are turning their attention to the way software and other services
are developed and adopting a DevSecOps approach. The General Services Administration’s DevSecOps Guide defines the methodology as “a cultural
and engineering practice that breaks down barriers and opens collaboration between development, security and operations organizations using automation to focus
on rapid, frequent delivery of secure infrastructure and software to production.”
NIST is considering developing a DevSecOps framework and lists a number of ways the approach brings value, such as reducing vulnerabilities and malicious code in software and addressing the root cause of vulnerabilities to prevent recurrences. The methodology could help minimize threats in mobile apps, whose use has skyrocketed during the pandemic.
To address evolving cyberthreats more broadly, the White House and some lawmakers have proposed reforming the Federal Information Security Modernization Act (FISMA) to ensure agencies are following the latest
cybersecurity best practices. FISMA was passed in 2002 and updated in 2014, and Federal Chief Information Security Officer Chris DeRusha said in July that the law could get a makeover again. He specified two main areas for reform: testing and validating security arrangements and increasing security automation.
Although federal offices began reopening in June, many experts believe remote work will continue now that employees and agencies have experienced the benefits
and are working to minimize the risks. In FCW’s survey, 68% of respondents rated the pandemic’s impact on their agencies’ cybersecurity strategies as a 3 or higher on a scale of 1 to 5.
When agencies pivoted quickly to address the challenges that arose during the pandemic, they jump-started the evolution to a more flexible, modern approach to cybersecurity while also empowering employees to be productive from any location. Agencies’ ongoing efforts to future-proof cybersecurity strategies will continue to drive mission success across government.
CYBERSECURITY
by the numbers
SPONSORED CONTENT S-11